Signaling/setup/control

SIP (Session Initiation Protocol) 

H323 

Skinny 

Clarent 

Yahoo proprietary 

Data - voice, fax, video 

RTP (Real-time Transport Protocol) 
The Problem




Setup and data may take different routes 
Different routes may be collected at different sites 
Routes may change 



[Diagram: SIP call setup between User Agent A and User Agent B via an Outbound Proxy Server and an Inbound Proxy Server. Labelled messages: 200 OK (Contact, SDP) at steps 11 and 12, and ACK. Media (RTP) is labelled separately.]
Local site XKS identifies VOIP setup involving a tasked target

Local XKS queries itself for corresponding RTP data

If the local query fails, it is passed back to HQS for a cross-site query across the entire XKS network

Forward hits to NUCLEON and generate summary reports
XKS Solution

[Diagram: an SSO site and the XKEYSCORE web server. Labels: "queries itself for the RTP on a hit" (SSO site); "If we found the RTP locally, forward it back."; "Forward back results"; one further label is illegible apart from "across all servers".]
VOIP Hits

Use this to find data for which...

There was a dictionary hit on the VOIP signaling (TRAFFICTHIEF, CADENCE, OCTAVE, MARINA, UTT)

We were able to find the RTP corresponding to the signaling information
VOIP Hits

[Screenshot: XKEYSCORE "Search: Voip" form, reached from the navigation menu under VoIP > Hits. Form fields: Query Name, Justification, Additional Justification, Miranda Number, Datetime (Start/Stop), Email, Name, Phone Number, Country Phone Number, Tasking Type, Tasking Value, Dictionary, Category, Priority, Target, Description, Contacts.]

User/target information

Email
Name
Phone number
IP address
Country code

Content information

Content type (audio, video, image)
Control type (SIP, H323, skinny, clarent)
Fingerprints - may indicate specific VOIP devices
VOIP Hits - Results

[Screenshot: results table with columns ID, Datetime, Datetime End, Content, From Email, From Name, From Phone#, From Country#, To Email. Row contents are not legible.]
VOIP Hits - RTP Viewer

[Screenshot: results list with the X-KEYSCORE C2C Session Viewer open. Session fields: Datetime, Case Notation, From IP, To IP, From Port, To Port. Auto formatter line: app_id= multimedia/rtp/g729, Viewer= RTP formatter, with the status messages "Extracting RTP data..." and "Decoding media". RTP statistics table with columns # packets, % packets, # bytes, % bytes, min ts, max ts, min seq, max seq for payload g729, followed by per-stream links: raw, decoded wav, decoded au.]
VOIP Hits - audio

[Screenshot: media player window ("Now Playing") playing get_session_new.php; Total Time: 3:14.]
Sigdev

Use these search forms to find other VOIP not included in the VOIP Hits

RTP
SIP
VOIP Setup
Wireshark

[Screenshot: navigation menu with VoIP expanded to Hits and Sigdev; Sigdev contains RTP, SIP, VoIP Setup and Wireshark.]
Contact the team:

xkeyscore@nsa.ic.gov 
http://xkeyscore^^^^H(go xkeyscore) 



Primary POCs for VOIP 




nsa.ic.gov 



@nsa.ic.gov